Getting Memcached Secure. NEC OSS Promotion Center KaiGai Kohei
|
|
- Rafe Hood
- 6 years ago
- Views:
Transcription
1 Getting Memcached Secure NEC OSS Promotion Center KaiGai Kohei
2 Self Introduction Name Company Works KaiGai Kohei NEC, OSS Promotion Center 7 years experiences of OSS development» SELinux» PostgreSQL» Memcached» Apache (mod_selinux) Memcached - selinux engine A memcached plugin to apply mandatory access control according to the SELinux policy. Page 2
3 1. Memcached and security Background Centralized security and SELinux 2. Getting Memcached secure Adjustment of security model Engine framework performing with libselinux The selinux_engine.so plugin
4 Recent web-system's architecture Fast, Fast, but but poor poor functionality Web servers The Internet Key-Value store Web application Slow, Slow, but but rich rich functionality RDBMS End Users Page 4
5 What is Memcached Memcached general purpose, high-performance, distributed memory caches Typically, used to backends of high-traffic web systems Much faster than RDBMS, but less functionalities Client Interface Script support Schemed Data Data Integrity Performance Scaling-out Security PostgreSQL SQL OK good good relatively worse not easy authentication & access controls Memcached memcached protocol OK bad bad good much easier less features Page 5
6 Memcached from security perspective (1/2) Memcached (3) (3) Not Not run run as as root root (2) (2) SASL auth, if if needed Web Apps Web Server (1) (1) Firewalling, always We have few options to keep Memcached secure :-( Should never allow to connect from external network SASL authentication Should never run as root Memcached Security; by Dustin Sallings Page 6
7 Memcached from security perspective (2/2) Memcached Any Any items accessible! Perhaps, vulnerable? Web Apps Web Server Our concern No protection from internal threats Buggy application turns an external threats into an internal threat. It means all the application must be FREE from BUGS and VULNERABILITIES! Page 7
8 Why server software applies access controls How reliable is the security feature? Consistency and Comprehensiveness Which is more preferable to apply access control? If each applications apply access control? Some of them may not be right Some of them may check nothing... Access control should be centralized. object object object object Access Control Server Application (Object Manager) Authentication Access Control Access Control Access Control Applications Page 8
9 More centralized access control (1/2) PostgreSQL Memcached Table SE-PgSQL Schema Item Item Table Table Item Item selinux_engine SQL memcached protocol System call LSM File File File Security Policy Security Server Server Filesystem SELinux Linux kernel Page 9
10 More centralized access control (2/2) SELinux a centralized security server Security Policy ie; we don't allow classified process to write an object being readable from unclassified process Filesystem Networks domain of classified processes Page 10 classified information memcached RDBMS inter process communication channels unclassified information domain of unclassified processes
11 SELinux as a Security Server (1/3) Interactions with object managers Kernel subsystems do queries via LSM. Userspace applications do queries via libselinux. Both of them control user's requests according to the decision. Security context as a common identifier system_u:system_r:memcached_t:s0 system_u:object_r:var_log_t:s0 A short formatted text, independent from object classes. Security policy A massive set of access control rules. A rule describes a set of actions to be allowed on a pair of a security context of the subject (process being accessing) and a security context of the object being accessed. Page 11
12 SELinux as a Security Server (2/3) Case of Linux Kernel staff_u:staff_r:staff_t:s0 user_u:user_r:user_t:s0 user process A read(2) read(2) write(2) write(2) user process B Subject: Subject: user_u:user_r:user_t:s0 Object: Object: user_u:object_r:user_home_t:s0 Target Target class: class: file file Applications Linux kernel File X VFS File Y LSM Security Policy file:{getattr file:{getattrread read write write...}...} SELinux system_u:object_r:etc_t:s0 user_u:object_r:user_home_t:s0 Page 12
13 SELinux as a Security Server (3/3) Case of Memcached staff_u:staff_r:staff_t:s0 user_u:user_r:user_t:s0 user process A Memcached GET GET SET SET user Subject: Subject: process user_u:user_r:user_t:s0 B Object: Object: user_u:object_r:user_item_t:s0 Target Target class: class: kv_item kv_item Applications Linux kernel Protocol Parser selinux_engine.so Item X Item Y libselinux kv_item:{read kv_item:{readwrite...}...} Security Policy SELinux user_u:object_r:user_item_t:s0 system_u:object_r:system_ro_item_t:s0 Page 13
14 1. Memcached and security Background Centralized security and SELinux 2. Getting Memcached secure Adjustment of security model Engine framework performing with libselinux The selinux_engine.so plugin
15 Needed features to be enhanced Memcached needs to get enhanced 1. Facility to retrieve security context of client process 2. Facility to assign security context on key-value item 3. Facility to ask SELinux its access control decision query system_u:system_r:user_webapp_t:s0 system_u:object_r:memcached_item_t:s0 system_u:object_r:memcached_item_t:s0 web application Protocol Parser Engine Module Item Item Item Security Policy system_u:system_r:guest_webapp_t:s0 SELinux Page 15
16 Security context of the clients getpeercon(int sockfd, security_context_t *con) It allows to retrieve security context of the client process that connected to the server using sockfd. If UNIX domain socket, no configurations are necessary If TCP/IP socket, also need to set up labeled IPsec. Labeled IPsec It uses an enhanced version of key-exchange daemon that transfers peer security context during IKE exchanges. getpeercon(3) enables to retrieve the delivered one. For more details: Introduction to Labeled Networking on Linux (Paul Moore, HP) Page 16
17 Security context of key/value item hash_item structure mchunk_t.item uint32_t nbytes uint16_t nkey uint16_t iflag Key of item Value of item uint16 flags uint16_t keylen uint32_t datalen uint32_t secid Key of item Value of item mchunk_t.label uint32_t secid uint32_t refcount security context in text form SELinux needs key-value item to be labeled But original hash_item is not designed to store a security context. Revised data format that allows to point a certain security context Large number of objects tend to share small number of security contexts Page 17
18 memcached - storage engine interface (1/2) What is the storage engine interface? An upcoming feature in memcached v1.6.x It allows a plugin to provide its mechanism to manage key/value pair. Well designed protocol between the core and engine plugin. Some plugins may provide persistent storage support. Some plugins may provide access control. : memcached protocol Protocol Parser storage engine interface xxx plugin selinux plugin SELinux memcached Page 18
19 memcached - storage engine interface (2/2) typedef struct engine_interface_v1 { : /** * Retrieve an item. * handle the engine handle cookie The cookie provided by the frontend item output variable that will receive the located item key the key to look up nkey the length of the key vbucket the virtual bucket id * ENGINE_SUCCESS if all goes well */ ENGINE_ERROR_CODE (*get)(engine_handle* handle, const void* cookie, item** item, const void* key, const int nkey, uint16_t vbucket); : } Page 19
20 Flow-chart in GET command Protocol Parser Storage Engine Interface selinux_get() GET xxx ENGINE_KEY_ENOENT No Item exists? security_compute_av() decision ENGINE_EACCESS No Allowed? /selinux/access Storage Engine Interface Return the item ENGINE_SUCCESS Security Policy SELinux Client Application Memcached Kernel Page 20
21 selinuxfs and libselinux (1/2) ~]$ ls /selinux access context load reject_unknown avc/ create member relabel booleans/ deny_unknown mls status checkreqprot disable null user class/ enforce policy_capabilities/ commit_pending_bools initial_contexts/ policyvers selinuxfs A pseudo filesystem as an interface to applications Eg; write and read on /selinux/access it asks selinux its access control decision libselinux A set of wrapper functions for selinuxfs and configuration files. Eg; security_getenforce() read /selinux/enforce Userspace access vector cache Page 21
22 selinuxfs and libselinux (2/2) extern int security_compute_av(const security_context_t scon, const security_context_t tcon, security_class_t tclass, access_vector_t required, struct av_decision *avd); security_compute_av scon... security context of the user process tcon... security context of the item to be referenced tclass... code of object class required... an obsolete argument avd It It contains bitmask of of allowed permissions.... result shall be set in this structure It writes scon, tcon and tclass to /selinux/access, then SELinux returns allowed actions on a pair of them. Page 22
23 Flow-chart in ADD command Protocol Parser Storage Engine Interface selinux_allocate() security_compute_create() default context ADD xxx create a new item with security context OPERATION_ADD selinux_store() security_compute_av() decision /selinux/create /selinux/access Storage Engine Interface ENGINE_EACCESS No ENGINE_SUCCESS Allowed? link the new item to btree-index Security Policy SELinux Client Application Memcached Kernel Page 23
24 Memcached - selinux engine To obtain the source code git clone git://github.com/trondn/memcached.git -b engine svn co Features Mandatory access control with SELinux policy Using B+tree index Persistent storage support Future works Waiting for Memcached v1.6.x release :-) Pushing the package to Fedora project Scalability improvement Comprehensive statistical information Documentations Page 24
25 Userspace access vector cache (avc) security_compute_xxx() always invokes a system-call AVC enables to cache access control decisions recently used. Query Query Page 25 Decision Decision In In heuristic, heuristic, the the rate rate to to hit hit overs overs99.9% still valid avc_has_perms() still valid validation check of userspace cache invalid reset avc cache lookup an avc entry from the cache not found Found make an avc entry check access permissions validation check of userspace cache invalid Memory Memory reference reference selinux_kernel_status mmap(2) System System call call /selinux/status /selinux/access /selinux/create Security Policy SELinux
26 Benchmark default default selinux selinux IPsec(ESP) IPsec(ESP) 191, ,409 IPsec(AH) IPsec(AH) No No IPsec IPsec 251, , number number of of commands commands in in 30sec 30sec Iteration of GET/SET mixture, 8threads-client, 4core server x 2, Gb-ether Less significant differences in same network environment default = no access control, selinux = mandatory access control Penalties in IPsec(AH) communication (~20%?) Page 26
27 Summary Why object managers apply access controls Access control should be centralized Consistency Coverage Server is better than applications, Kernel is better than servers. SELinux as a Security Server SELinux returns its access control decision, then object manager control accesses according to the decision. User and data object need to be identified with security context. Using libselinux Libselinux encapsulates raw accesses to selinuxfs. Userspace access vector cache reduces number of kernel invocations Page 27
28 Any Questions?
29 Thank you!
SE-PostgreSQL. System-wide consistency of access control. NEC OSS Promotion Center KaiGai Kohei
SE-PostgreSQL System-wide consistency of access control NEC OSS Promotion Center KaiGai Kohei Self Introduction Name Company Works KaiGai Kohei NEC, OSS Promotion Center 7 years
More informationLAPP/SELinux. A secure web application stack using SE-PostgreSQL. KaiGai Kohei NEC OSS Promotion Center
LAPP/SELinux A secure web application stack using SE-PostgreSQL KaiGai Kohei NEC OSS Promotion Center Self Introduction SELECT * FROM pg_developers WHERE name = 'KaiGai' Job NEC
More informationSecurity-Enhanced. - System-wide consistency in Access Control - NEC OSS Promotion Center KaiGai Kohei
Security-Enhanced PostgreSQL - System-wide consistency in Access Control - NEC OSS Promotion Center KaiGai Kohei Who is KaiGai? Primary developer of SE-PostgreSQL 5 year's experience
More informationApplication of the Flask Architecture to the X Window System Server
Application of the Flask Architecture to the X Window System Server Eamon Walsh ewalsh@tycho.nsa.gov National Security Agency National Information Assurance Research Laboratory ( NIARL ) 1 Overview of
More informationUsing GConf as an Example of How to Create an Userspace Object Manager
Using GConf as an Example of How to Create an Userspace Object Manager James Carter National Security Agency Abstract GConf is a configuration system for GNOME. It does not provide adequate security controls
More informationSE Linux Implementation LINUX20
SE Linux Implementation LINUX20 Russell Coker IBM eserver pseries, Linux, Grid Computing and Storage Technical University 7/7/2004 Licensed under the GPL Topic Objectives In this topic students will learn
More informationSecurity Enhanced Linux. Thanks to David Quigley
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4
More informationThe Developer Meeting Agenda - Advanced Security Features - NEC OSS Promotion Center KaiGai Kohei
The Developer Meeting Agenda - Advanced Security Features - NEC OSS Promotion Center KaiGai Kohei My Topics in v9.1 External Security Providers Step.1 Reworks existing access controls
More informationReal Life Web Development. Joseph Paul Cohen
Real Life Web Development Joseph Paul Cohen joecohen@cs.umb.edu Index 201 - The code 404 - How to run it? 500 - Your code is broken? 200 - Someone broke into your server? 400 - How are people using your
More informationIntroduction to Labeled Networking on Linux
Introduction to Labeled Networking on Linux Paul Moore paul.moore@hp.com 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Agenda Labeled
More informationModule: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security So, you have built an operating system that enables user-space processes to
More informationSELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com
SELinux Introduction Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com Overview 1. Who am I? 2. What is SELinux? 3. DAC vs MAC 4. Type Enforcement 5. Labels 6. Sometimes SELinux denies badness
More informationRCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:
Logical Diagram VFS, Continued Don Porter CSE 506 Binary Formats RCU Memory Management File System Memory Allocators System Calls Device Drivers Networking Threads User Today s Lecture Kernel Sync CPU
More informationVFS, Continued. Don Porter CSE 506
VFS, Continued Don Porter CSE 506 Logical Diagram Binary Formats Memory Allocators System Calls Threads User Today s Lecture Kernel RCU File System Networking Sync Memory Management Device Drivers CPU
More informationWhat's New with SELinux
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in
More informationSecurity Enhanced Linux
Security Enhanced Linux Bengt Nolin beno9295@student.uu.se October 13, 2004 Abstract A very brief introduction to SELinux; what it is, what is does and a little about how it does it. 1 1 Background 1.1
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationSELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany
SELinux Updates Thorsten Scherf Senior Consultant Red Hat Global Professional Services 01.12.2011 Berlin / Germany Agenda SELinux review What happened to strict policy Policy customization and development
More informationMetadaten Workshop 26./27. März 2007 Göttingen. Chimera. a new grid enabled name-space service. Martin Radicke. Tigran Mkrtchyan
Metadaten Workshop 26./27. März Chimera a new grid enabled name-space service What is Chimera? a new namespace provider provides a simulated filesystem with additional metadata fast, scalable and based
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationProxySQL's Internals
ProxySQL's Internals What is ProxySQL? A "Layer 7" database proxy MySQL / ClickHouse protocol aware High Performance High Availability Architecture Overview Clients connect to ProxySQL Requests are evaluated
More informationUnit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus
Linux system administrator-i Unit 1: Get Started with the GNOME Graphical Desktop Objective: Get started with GNOME and edit text files with gedit Unit 2: Manage Files Graphically with Nautilus Objective:
More informationCovering indexes. Stéphane Combaudon - SQLI
Covering indexes Stéphane Combaudon - SQLI Indexing basics Data structure intended to speed up SELECTs Similar to an index in a book Overhead for every write Usually negligeable / speed up for SELECT Possibility
More informationExtensible Kernel Security through the TrustedBSD MAC Framework
03/13/2004 Extensible Kernel Security through the TrustedBSD MAC Framework Robert Watson, Research Scientist HIP Group, 03/13/2004 Page 2 Introduction Rationale for Security Extensions TrustedBSD MAC Framework
More informationNoSQL & Firebase. SWE 432, Fall Web Application Development
NoSQL & Firebase SWE 432, Fall 2018 Web Application Development Review: Nouns vs. Verbs URIs should hierarchically identify nouns describing resources that exist Verbs describing actions that can be taken
More informationUtilizing Databases in Grid Engine 6.0
Utilizing Databases in Grid Engine 6.0 Joachim Gabler Software Engineer Sun Microsystems http://sun.com/grid Current status flat file spooling binary format for jobs ASCII format for other objects accounting
More informationC-Bindings for BTNS APIs
C-Bindings for BTNS APIs Miika Komu Sasu Tarkoma Nicolas Williams < nicolas.williams@sun.com> Michael Richardson What Problem Are We Solving?
More informationPREVENTING EXPLOITS WITH SECURITY ENHANCED LINUX
PREVENTING EXPLOITS WITH SECURITY ENHANCED LINUX Final Report 12/10/09 Mike Detwiler UMBC Student CMSC Course 426 Baltimore, MD Det1@umbc.edu Peter Coddington UMBC Student CMSC Course 626 Baltimore, MD
More informationDistribution Kernel Security Hardening with ftrace
Distribution Kernel Security Hardening with ftrace Because sometimes your OS vendor just doesn't have the security features that you want. Written by: Corey Henderson Exploit Attack Surface Hardening system
More informationSecurity Enhanced Linux
Security Enhanced Linux Security Group Meeting 29 November 2002 Steven J. Murdoch http://www.cl.cam.ac.uk/users/sjm217/ Computer Laboratory, University of Cambridge Copyright c Steven. J. Murdoch p.1 Summary
More informationWhy I seldom file bugs against SELinux policy
Why I seldom file bugs against SELinux policy Jan Pazdziora Sr. Principal Software Engineer OpenShift Security, Red Hat jpazdziora@redhat.com 26 th January 2018 SELinux policy in distribution Distributions
More informationPersistence. SWE 432, Fall 2017 Design and Implementation of Software for the Web
Persistence SWE 432, Fall 2017 Design and Implementation of Software for the Web Today Demo: Promises and Timers What is state in a web application? How do we store it, and how do we choose where to store
More informationSELinux. Daniel J Walsh SELinux Lead Engineer
SELinux Daniel J Walsh SELinux Lead Engineer 0 Day Exploits Patch Cycle Someone discovers a vulnerability in software Package Maintainer and OS Vendor Notified Fix generated/distributed Fix installed by
More informationgrib_api.h File Reference
grib_api.h File Reference Copyright 2005-2013 ECMWF. More... Defines #define GRIB_API_VERSION (GRIB_API_MAJOR_VERSION*10000+G RIB_API_MINOR_VERSION*100+GRIB_API_REVISION_VERSI ON) #define GRIB_SECTION_PRODUCT
More informationPASTE: Fast End System Networking with netmap
PASTE: Fast End System Networking with netmap Michio Honda, Giuseppe Lettieri, Lars Eggert and Douglas Santry BSDCan 2018 Contact: @michioh, micchie@sfc.wide.ad.jp Code: https://github.com/micchie/netmap/tree/stack
More information<Insert Picture Here> MySQL Cluster What are we working on
MySQL Cluster What are we working on Mario Beck Principal Consultant The following is intended to outline our general product direction. It is intended for information purposes only,
More informationPostgreSQL clusters using streaming replication and pgpool-ii
How to manage a herd of elephants: PostgreSQL clusters using streaming replication and pgpool-ii SRA OSS, Inc. Japan Tatsuo Ishii About me Came from Tokyo, Japan PostgreSQL committer Original author of
More informationECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017
ECE 550D Fundamentals of Computer Systems and Engineering Fall 2017 The Operating System (OS) Prof. John Board Duke University Slides are derived from work by Profs. Tyler Bletsch and Andrew Hilton (Duke)
More informationInternet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016
Internet Technology 06. Exam 1 Review Paul Krzyzanowski Rutgers University Spring 2016 March 2, 2016 2016 Paul Krzyzanowski 1 Question 1 Defend or contradict this statement: for maximum efficiency, at
More informationThe Aggregator plugin PRINTED MANUAL
The Aggregator plugin PRINTED MANUAL Aggregator plugin All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying,
More informationUnix Device Memory. James Jones XDC 2016
Unix Device Memory James Jones XDC 2016 Background Started with a Weston patch proposal Many strong views Much time invested in current software and APIs Thank you for keeping discussions civil Many areas
More informationNetwork stack virtualization for FreeBSD 7.0. Marko Zec
Network stack virtualization for FreeBSD 7.0 Marko Zec zec@fer.hr University of Zagreb Network stack virtualization for FreeBSD 7.0 slide 1 of 18 Talk outline Network stack virtualization what, why, and
More informationLecture 8: Other IPC Mechanisms. CSC 469H1F Fall 2006 Angela Demke Brown
Lecture 8: Other IPC Mechanisms CSC 469H1F Fall 2006 Angela Demke Brown Topics Messages through sockets / pipes Receiving notification of activity Generalizing the event notification mechanism Kqueue Semaphores
More informationTopics. Lecture 8: Other IPC Mechanisms. Socket IPC. Unix Communication
Topics Lecture 8: Other IPC Mechanisms CSC 469H1F Fall 2006 Angela Demke Brown Messages through sockets / pipes Receiving notification of activity Generalizing the event notification mechanism Kqueue Semaphores
More informationChecklist for Testing of Web Application
Checklist for Testing of Web Application Web Testing in simple terms is checking your web application for potential bugs before its made live or before code is moved into the production environment. During
More informationVirtual File System. Don Porter CSE 506
Virtual File System Don Porter CSE 506 History ò Early OSes provided a single file system ò In general, system was pretty tailored to target hardware ò In the early 80s, people became interested in supporting
More informationThe State of Samba (June 2011) Jeremy Allison Samba Team/Google Open Source Programs Office
The State of Samba (June 2011) Jeremy Allison Samba Team/Google Open Source Programs Office jra@samba.org jra@google.com What is Samba? Provides File/Print/Authentication services to Windows clients from
More informationRDBE Host Software. Doc No: X3C 2009_07_21_1 TODO: Add appropriate document number. XCube Communication 1(13)
RDBE Host Software Doc No: X3C 2009_07_21_1 TODO: Add appropriate document number XCube Communication 1(13) Document history Change date Changed by Version Notes 09-07-21 09:12 Mikael Taveniku PA1 New
More informationpgmemcache and the over reliance on RDBMSs Copyright (c) 2004 Sean Chittenden. All rights reserved.
pgmemcache and the over reliance on RDBMSs Copyright (c) 2004 Sean Chittenden. All rights reserved. sean@chittenden.org Tenets of Fast Applications Fast == Good Slow == Bad Disk IO == Bad Memory == Good
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationTU Dresden: A Large-Scale Plone Deployment Case Study
Media Center TU Dresden: A Large-Scale Plone Deployment Case Study Dresden, 10/20/17 Motivation There is no real new stuf here Provide feedback to the wider Plone community 2/38 Starting Point 3/38 Starting
More informationOS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2
OS COMPONENTS OVERVIEW OF UNIX FILE I/O CS124 Operating Systems Fall 2017-2018, Lecture 2 2 Operating System Components (1) Common components of operating systems: Users: Want to solve problems by using
More informationReplay Caching is a Pain
Replay Caching is a Pain Kerberos AP exchange requires replay caching Replays bad rcaches usually hard to get right, and slow Regular disks 120 fsync()s per-disk/second Clustering ouch! Want to do something
More informationPgpool-II Development Status Updates. Pgpool-II Global Development Group
Pgpool-II Development Status Updates Pgpool-II Global Development Group 2 We are moved! Due to closing of pgfoundry, we have moved to new web site(november 2011) http://www.pgpool.net Hosted by SRA OSS,
More information<Insert Picture Here> MySQL Web Reference Architectures Building Massively Scalable Web Infrastructure
MySQL Web Reference Architectures Building Massively Scalable Web Infrastructure Mario Beck (mario.beck@oracle.com) Principal Sales Consultant MySQL Session Agenda Requirements for
More informationRelease Notes for Snare Linux Agent Release Notes for Snare for Linux
Release Notes for Snare for Linux InterSect Alliance International Pty Ltd Page 1 of 17 About this document This document provides release notes for the Snare Enterprise Agent for Linux. InterSect Alliance
More informationThe Scheduler & Hotkeys plugin PRINTED MANUAL
The Scheduler & Hotkeys plugin PRINTED MANUAL Scheduler & Hotkeys plugin All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including
More informationRed Hat Ceph Storage Release Notes
Red Hat Ceph Storage 1.3.2 Release Notes Release notes for Red Hat Ceph Storage 1.3.2 Red Hat Ceph Storage Documentation Team Red Hat Ceph Storage 1.3.2 Release Notes Release notes for Red Hat Ceph Storage
More informationSELinux Basics. Clint Savage Fedora Ambassador. Fedora Classroom November 9, 2008
SELinux Basics Clint Savage Fedora Ambassador Fedora Classroom November 9, 2008 What is SELinux? Another layer of security Created by the NSA / Red Hat Helps add to the multiple layers of defense Generally
More informationPostgreSQL Database and C++ Interface (and Midterm Topics) ECE 650 Systems Programming & Engineering Duke University, Spring 2018
PostgreSQL Database and C++ Interface (and Midterm Topics) ECE 650 Systems Programming & Engineering Duke University, Spring 2018 PostgreSQL Also called Postgres Open source relational database system
More informationTrustworthy Whole-System Provenance for the Linux Kernel
Trustworthy Whole-System Provenance for the Linux Kernel Adam Bates, Dave (Jing) Tian, Thomas Moyer, and Kevin R. B. Butler In association with USENIX Security Symposium, Washington D.C., USA 13 August,
More informationVirtual File System. Don Porter CSE 306
Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting
More informationLinux multi-core scalability
Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org Overview Scalability theory Linux history Some common scalability trouble-spots Application workarounds Motivation
More informationClustered Samba Challenges and Directions. SDC 2016 Santa Clara
SDC 2016 Santa Clara Volker Lendecke Samba Team / SerNet 2016-09-20 (2 / 18) SerNet Founded 1996 Offices in Göttingen and Berlin Topics: information security and data protection Specialized on Open Source
More informationRCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support
Logical Diagram Virtual File System Don Porter CSE 506 Binary Formats RCU Memory Management File System Memory Allocators System Calls Device Drivers Networking Threads User Today s Lecture Kernel Sync
More informationInternet Technology 3/2/2016
Question 1 Defend or contradict this statement: for maximum efficiency, at the expense of reliability, an application should bypass TCP or UDP and use IP directly for communication. Internet Technology
More informationNational Aeronautics and Space and Administration Space Administration. cfe Release 6.6
National Aeronautics and Space and Administration Space Administration cfe Release 6.6 1 1 A Summary of cfe 6.6 All qualification testing and documentation is now complete and the release has been tagged
More informationProcesses. Process Concept
Processes These slides are created by Dr. Huang of George Mason University. Students registered in Dr. Huang s courses at GMU can make a single machine readable copy and print a single copy of each slide
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationImprove Web Application Performance with Zend Platform
Improve Web Application Performance with Zend Platform Shahar Evron Zend Sr. PHP Specialist Copyright 2007, Zend Technologies Inc. Agenda Benchmark Setup Comprehensive Performance Multilayered Caching
More informationReform: A Domain Specific Language
Reform: A Domain Specific Language Dustin Graves October 5, 2007 Overview Scripting language Monitors and manages data streams Network, File, RS-232, etc Reformats and redirects data Contains keywords
More informationsottotitolo Socket Programming Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani
Titolo presentazione Piattaforme Software per la Rete sottotitolo Socket Programming Milano, XX mese 20XX A.A. 2016/17 Outline 1) Introduction to Sockets 2) UDP communication 3) TCP communication 4) RAW
More informationDatabase extensions for fun and profit. Andrew Dalke Andrew Dalke Scientific, AB Gothenburg, Sweden
Database extensions for fun and profit Andrew Dalke Andrew Dalke Scientific, AB Gothenburg, Sweden Set the Wayback Machine to 1997! Relational databases - strings and numbers - SQL - clients written in
More informationOperating System Structure
Operating System Structure Heechul Yun Disclaimer: some slides are adopted from the book authors slides with permission Recap OS needs to understand architecture Hardware (CPU, memory, disk) trends and
More informationLast class: Today: Thread Background. Thread Systems
1 Last class: Thread Background Today: Thread Systems 2 Threading Systems 3 What kind of problems would you solve with threads? Imagine you are building a web server You could allocate a pool of threads,
More informationSwitching to Innodb from MyISAM. Matt Yonkovit Percona
Switching to Innodb from MyISAM Matt Yonkovit Percona -2- DIAMOND SPONSORSHIPS THANK YOU TO OUR DIAMOND SPONSORS www.percona.com -3- Who We Are Who I am Matt Yonkovit Principal Architect Veteran of MySQL/SUN/Percona
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationRTView Data Server SL Corporation. All Rights Reserved Sherrill-Lubinski Corporation. All Rights Reserved.
RTView Data Server Data Server - Benefits By default, RTView clients connect to data sources (SQL, TIBCO, JMX, etc) directly. However, data from any source can be redirected through the Data Server. Reasons
More informationA new Distributed Security Model for Linux Clusters
A new Distributed Security Model for Linux Clusters Makan.Pourzandi@Ericsson.Com Open Systems Lab Montréal Canada June, 2004 Rev PA1 07/05/04 1 Outline Context Distributed Security Distributed Access Control
More informationLinux Kernel Security Update LinuxCon Europe Berlin, 2016
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999
More informationNetworking in a Vertically Scaled World
Networking in a Vertically Scaled World David S. Miller Red Hat Inc. LinuxTAG, Berlin, 2008 OUTLINE NETWORK PRINCIPLES MICROPROCESSOR HISTORY IMPLICATIONS FOR NETWORKING LINUX KERNEL HORIZONTAL NETWORK
More informationHow to Back Up Linux/UNIX Data Using SSHFS
The articles in this section refer to Barracuda Backup Legacy Release firmware or newer. Barracuda Backup uses the SSH Filesystem (SSHFS) and public key authentication to connect and back up Linux data.
More informationCA Workload Automation (DE) Internals and Troubleshooting. Lee Stecklov
CA Workload Automation (DE) Internals and Troubleshooting Lee Stecklov Terms of This Presentation This presentation was based on current information and resource allocations as of October 2009 and is subject
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationWeb Applications. Software Engineering 2017 Alessio Gambi - Saarland University
Web Applications Software Engineering 2017 Alessio Gambi - Saarland University Based on the work of Cesare Pautasso, Christoph Dorn, Andrea Arcuri, and others ReCap Software Architecture A software system
More information1Copyright 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 12
1 Insert Information Protection Policy Classification from Slide 12 Getting Started with MySQL Santo Leto Principal Technical Support Engineer, MySQL Jesper Wisborg Krogh Principal Technical Support Engineer,
More informationAdvanced Systems Security: Security-Enhanced Linux
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationArchitectural Styles I
Architectural Styles I Software Architecture VO/KU (707023/707024) Roman Kern KTI, TU Graz 2015-01-07 Roman Kern (KTI, TU Graz) Architectural Styles I 2015-01-07 1 / 86 Outline 1 Non-Functional Concepts
More informationFundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,
Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure
More informationFirst order of Business
First order of Business First order of Business You probably feel like this MBE TA s Hardware Enforced Model 0: Privileged, Kernelspace 3: Restricted, Userspace Hardware Enforced Model 0: Privileged,
More informationThe Power of Batching in the Click Modular Router
The Power of Batching in the Click Modular Router Joongi Kim, Seonggu Huh, Keon Jang, * KyoungSoo Park, Sue Moon Computer Science Dept., KAIST Microsoft Research Cambridge, UK * Electrical Engineering
More informationSecure PostgreSQL Deployment
Secure PostgreSQL Deployment PGDay'14 Russia St Petersburg, Russia Magnus Hagander magnus@hagander.net PRODUCTS CONSULTING APPLICATION MANAGEMENT IT OPERATIONS SUPPORT TRAINING Magnus Hagander PostgreSQL
More informationNFS Version 4 Open Source Project. William A.(Andy) Adamson Center for Information Technology Integration University of Michigan
NFS Version 4 Open Source Project William A.(Andy) Adamson Center for Information Technology Integration University of Michigan NFS Version 4 Open Source Project Sponsored by Sun Microsystems Part of CITI
More informationOpen Source support for OSD
Open Source support for OSD IBM Haifa Research Lab IBM Labs in Haifa 2006 IBM Corporation Outline IBM Labs in Haifa Object Based Storage (OSD) OSD Initiator Past Going forward OSD Simulator on AlphaWorks
More informationOverview. Wait, which firmware? Threats Update methods request_firmware() hooking Regression testing Future work
http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook (pronounced Case ) Overview Wait, which firmware? Threats Update methods request_firmware()
More informationNUMA replicated pagecache for Linux
NUMA replicated pagecache for Linux Nick Piggin SuSE Labs January 27, 2008 0-0 Talk outline I will cover the following areas: Give some NUMA background information Introduce some of Linux s NUMA optimisations
More informationVersion Major Deployments. TVA Entergy PG&E Dominion Every openpdc installation (via stats and/or active phasor archive)
Version 1.0 - Major Deployments TVA Entergy PG&E Dominion Every openpdc installation (via stats and/or active phasor archive) 2 Version 1.0 - Current State Stable, mature product optimized to store time-series
More informationSELinux. Thorsten Scherf. Red Hat EMEA. October 2015
SELinux Thorsten Scherf Red Hat EMEA October 2015 What is wrong with UNIX security? Programs have full control over the access given to files they create (Discretionary Access Control DAC) Therefore no
More informationOperating System Security: Building Secure Distributed Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Operating System Security:
More information